fix(privacyidea): disable response signing + raise rate limit to unblock login

PI_NO_RESPONSE_SIGN=True works around Werkzeug 3.x crash where request.json
raises BadRequest on GET requests with empty bodies (sign_response path).

Rate limit raised from 20/5 to 200/100 req/min to allow the AngularJS UI's
burst of ~50 parallel static asset requests on each page load without being
throttled by Traefik. TODO: split tight /auth+/validate vs loose /static limits.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-03-25 01:55:10 +00:00
parent 23e0b43318
commit c0e330ee4e
2 changed files with 10 additions and 5 deletions


@@ -43,3 +43,8 @@ data:
# Scripts folder for event handlers (leave default unless customising).
PI_SCRIPT_FOLDER = "/etc/privacyidea/scripts"
# Disable response signing — sign_response crashes on GET requests with
# Werkzeug 3.x because request.json raises BadRequest for empty bodies.
# The audit keys are still used for audit log signing.
PI_NO_RESPONSE_SIGN = True
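Review bot: `PI_NO_RESPONSE_SIGN = True` on the last line of this hunk removes a security property to work around a crash, and the comment above it should say so rather than only noting that audit signing is unaffected. With response signing off, a consumer of /validate/check (the Keycloak provider this deployment fronts, per the Traefik comments) can no longer verify that a validation result actually came from this privacyIDEA instance, so anything that can alter HTTP responses between the two can forge a successful check. Since the comment pins the cause to `request.json` raising BadRequest on empty GET bodies under Werkzeug 3.x, the narrower fix is to pin Werkzeug below 3.0 in the image, or to patch the sign_response path to use Flask's `request.get_json(silent=True)`, and keep signing enabled; if the workaround must ship, add a TODO with a tracking reference next to the setting so it is reverted when the dependency is fixed.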


@@ -13,9 +13,9 @@
# ── Rate limit — all PI endpoints ────────────────────────────────────────────
# Applies globally to pink.coulomb.social.
# Primary protection for /validate/check (OTP verification) and /auth.
# 20 requests/minute per client IP; burst of 5 allowed.
# Adjust average/burst upward if legitimate automation (e.g. Keycloak Provider)
# triggers false positives — or exclude the Keycloak source IP at network level.
# 200 requests/minute average; burst of 100 to allow the ~50 parallel static
# asset requests the AngularJS UI fires on every page load.
# TODO: split into a tight limit for /auth+/validate and a loose one for /static.
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
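Review bot: the retained line "Primary protection for /validate/check (OTP verification) and /auth." now contradicts the two added comment lines, which justify 200/100 by the AngularJS UI's static-asset burst; a reader of this file is told the limit exists to throttle OTP guessing while the numbers were chosen for asset loading. Either reword that line to reflect what the middleware now does, or resolve the TODO on the last added line in this commit instead of deferring it: keep this middleware at its tight values on the /auth and /validate routes and attach a separate permissive middleware (or none) to the /static route, since static assets are not a brute-force target. The removed guidance about excluding the Keycloak source IP at the network level was the right answer to automation false positives and is worth keeping in the comment.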
@@ -26,9 +26,9 @@ metadata:
net-kingdom/component: mfa
spec:
rateLimit:
average: 20
average: 200
period: 1m
burst: 5
burst: 100
---
# ── Admin path allowlist — restrict WebUI to internal/VPN IPs ────────────────
# Applied to the /admin/* Ingress (see ingress.yaml — separate Ingress for /admin/).
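Review bot: `average: 200` with `burst: 100` means one client IP can send 100 requests to /validate/check immediately and then 200 per minute indefinitely, ten times the previous budget, against the endpoint the comment block calls the primary OTP protection. For a six-digit time-based OTP that is roughly a hundred guesses per code window from a single source, and because the bucket is keyed per client IP, a NAT or VPN egress shared by many users gets the same allowance. Rather than raising the values on this middleware, keep `average: 20` and `burst: 5` here and give the static-asset path its own Middleware object bound to a separate Ingress route for /static, which is what the TODO in the comment already describes.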